A previously unknown threat group has been discovered targeting government and military organizations in Asia Pacific. The ongoing campaign is being tracked under the name Dark Pink.

Dark Pink campaign

According to Group-IB, the Dark Pink campaign is linked to seven successful attacks between June and December 2022.
  • The group started operating in mid-2021, and its attacks increased a year later with a custom toolkit built to steal sensitive information from compromised networks.
  • The group uses spear-phishing emails for initial access and the Telegram API for C2 communications.

How spear-phishing works

  • Dark Pink presumably mines job boards to tailor its messages, posing as a job applicant for a PR and communications internship.
  • The real aim is to deploy KamiKakaBot and TelePowerBot, both of which execute commands sent through a Telegram bot.
  • The group then uses its Ctealer and Cucky tools to steal credentials and cookies from web browsers.

Use of multiple infection chains

The campaign used multiple infection chains, in each of which initial access was obtained via a phishing message carrying a link to a booby-trapped ISO image that delivered the malware.
  • A single GitHub account, active since May 2021, hosted the malicious modules and was used to drop TelePowerBot, a PowerShell-based implant. The group also relied on malicious template documents to evade detection.
  • An alternate kill chain used a decoy document inside the ISO to fetch a rogue macro-enabled template from GitHub that carried TelePowerBot.
  • More recently, the group introduced KamiKakaBot, a .NET version of TelePowerBot, delivered as an encrypted XML file appended to the end of a Word document.
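Two of the behaviours described above are visible in web-proxy or EDR network telemetry: C2 over the Telegram Bot API, whose request URLs always carry the bot token in the path (api.telegram.org/bot<id>:<token>/<method>, Telegram's public API convention), and Office or script-host processes fetching macro-enabled templates from raw GitHub URLs. The following Python detector is an added example, not code from Group-IB's report or from this article. The log format, hostnames, process names, bot tokens, and the GitHub path are all constructed for the example; the sanctioned-host allowlist shows how to keep a legitimate internal bot from drowning the rule in noise.

```python
"""Flag Telegram Bot API beaconing and GitHub-hosted Office templates in proxy logs."""
import re
from dataclasses import dataclass
from typing import FrozenSet, List

# Constructed sample proxy log lines for this example (not real telemetry).
# Assumed format: <timestamp> <hostname> <process> <method> <url>
SAMPLE_LOGS = """\
2022-11-03T08:12:41Z WS-0142 outlook.exe GET https://outlook.office365.com/owa/
2022-11-03T08:13:02Z WS-0142 WINWORD.EXE GET https://raw.githubusercontent.com/exampleuser/exampleproject/main/template.dotm
2022-11-03T08:13:09Z WS-0142 powershell.exe GET https://api.telegram.org/bot1234567890:AAExampleTokenValueAbcDefGhi/getUpdates?offset=0
2022-11-03T08:13:15Z WS-0142 powershell.exe POST https://api.telegram.org/bot1234567890:AAExampleTokenValueAbcDefGhi/sendDocument
2022-11-03T08:20:00Z WS-0077 chrome.exe GET https://github.com/exampleuser/exampleproject
2022-11-03T08:21:30Z DEV-BOT-01 python.exe GET https://api.telegram.org/bot9876543210:AASanctionedInternalBotToken00/getMe
"""

# Telegram Bot API calls embed the bot token in the path: /bot<id>:<secret>/<method>.
# The numeric <id> is stable across all calls by that bot and is a useful hunting pivot.
TELEGRAM_BOT_RE = re.compile(
    r"https?://api\.telegram\.org/(?:file/)?bot(?P<bot_id>\d+):[A-Za-z0-9_-]{20,}/(?P<method>\w+)"
)

# Raw GitHub downloads of Office template or script file types.
GITHUB_RAW_RE = re.compile(
    r"https?://raw\.githubusercontent\.com/\S+\.(?P<ext>dotm|dotx|docm|xlsm|ps1|exe|dll)(?:\?|$)",
    re.IGNORECASE,
)

# Processes that have no business fetching templates from GitHub or talking to a bot API.
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}


@dataclass(frozen=True)
class Alert:
    host: str
    process: str
    rule: str
    detail: str


def detect(log_text: str, sanctioned_bot_hosts: FrozenSet[str] = frozenset()) -> List[Alert]:
    """Return one Alert per log line matching a Dark Pink-style pattern.

    sanctioned_bot_hosts suppresses the Telegram rule for hosts known to run
    legitimate bots (assumed allowlist; tune it to your environment).
    """
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) != 5:
            continue  # malformed line: skip rather than guess at fields
        _ts, host, process, _method, url = parts
        proc = process.lower()

        m = TELEGRAM_BOT_RE.search(url)
        if m and host not in sanctioned_bot_hosts:
            # A script host or Office binary calling the Bot API is the strongest signal.
            severity = "high" if proc in SCRIPT_HOSTS | OFFICE_PROCESSES else "medium"
            alerts.append(Alert(host, process, f"telegram_bot_api_{severity}",
                                f"bot_id={m['bot_id']} method={m['method']}"))
            continue

        m = GITHUB_RAW_RE.search(url)
        if m and proc in OFFICE_PROCESSES | SCRIPT_HOSTS:
            alerts.append(Alert(host, process, "github_raw_template_fetch",
                                f"ext={m['ext'].lower()} url={url}"))
    return alerts


def bot_ids(alerts: List[Alert]) -> List[str]:
    """Distinct Telegram bot IDs seen, for pivoting across hosts and time."""
    return sorted({a.detail.split()[0].split("=", 1)[1]
                   for a in alerts if a.rule.startswith("telegram_bot_api")})


if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS, sanctioned_bot_hosts=frozenset({"DEV-BOT-01"})):
        print(f"{a.host} {a.process} {a.rule}: {a.detail}")
```

Note that Bot API traffic is HTTPS, so the token-bearing path is only visible where you have URL-level telemetry (a decrypting proxy, or process-level network events from an EDR). In plain DNS or NetFlow data you see only api.telegram.org, and the rule degrades to "which processes resolve that domain", which is still worth baselining on hosts that have no reason to use Telegram.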

Who are the targets?

  • Victims confirmed by researchers include two military bodies in the Philippines and Malaysia, government departments in Cambodia, Indonesia, and Bosnia and Herzegovina, and a religious organization in Vietnam.
  • One unsuccessful attack was also observed against an unnamed European state development agency based in Vietnam.

Conclusion

The Dark Pink campaign has used spear-phishing to distribute an entirely custom toolkit, which underlines how effective this initial-access method remains. Organizations should therefore strengthen their first line of defense with email security controls that detect and block phishing emails, including those carrying links to ISO images, before they reach users inside the network perimeter.
Publisher: Cyware